The revision to the EU Data
Protection Directive is likely to be a regulation instead of a directive, which may result in more uniform data
protection laws across the EU. Nevertheless, EU data protection law is based on
local employment and labor law to a certain extent. Therefore, there is bound
to be some variation in implementation and the differences in culture and
enforcement are likely to continue. While there will be many exciting and
controversial changes to the Directive, from enormous fines to right to
oblivion, BCRs have already taken center stage. (You may read more about the
proposed revisions to the EU Data Protection Directive titled “Regulation of
the European Parliament and of the Council on the protection of individuals
with regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation)” here.)
The original BCR system was overly
bureaucratic and costly. When the BCR system first started, the applicant would
have to seek authorization from each Data Protection Authority In the EU.
Considering all of the language and cultural barriers to reviewing a set of
rules, this process was mired with reviews and re-reviews until every DPA’s
requirements were met. In fact, Peter Fleischer called BCRs data protection for the rich. Then
the system was more streamlined with 5-7 DPA reviews with a single DPA acting
as the lead. This shrank the time in obtaining from years to around 9 months.
However, the process is still expensive and cumbersome. That may not be the
case with the revisions to the Directive.
During her keynote address for the IAPP Europe Data
Protection Congress, European Commissioner Viviane Reding shared her plans to
make binding corporate rules even more effective with simplicity, consistent
enforcement, and innovation. She pointed to the bureaucratic nature of the BCR
I see this legal fragmentation as a
costly administrative burden. It wastes time and money. It is detrimental to
the credibility and efficiency of data protection authorities and data
I intend to propose a consistent and
streamlined approval process with a single point of contact for companies
amongst the data protection authorities. And, once the binding corporate rules
are approved by one data protection authority, I want them to be recognised by
all European data protection authorities. And there should be no need for
additional national authorisation in case of further transfers.
Though some DPAs have disagreed with
this approach, others have already started pushing for companies to start
preparing for these BCRs. Considering that the BCRs are likely to be broad
enough to apply to processors as well as data controllers, using BCRs for
inter-company as well as intra-company transfers may become a reality in the
Therefore, if they are simplified
and expanded to processors, 2012 may indeed be the year of the Binding
Corporate Rules. Instead of relying solely on Standard Contractual Clauses,
midsize companies can obtain authorization using one DPA for all of their
intra-company data flows. Furthermore, they may also be able to obtain BCR
authorization as safe processors. This should enable cloud service
providers to provide cloud services to other companies using their BCRs. Using
the older BCR system, companies were only able to obtain BCR authorization
applying to data for which they were the data controllers. With this new
system, BCRs for data processors should also be possible. As a result,
BCRs should become a true option for midsize companies and processors of all
kinds--and quite likely a favored option for cloud service providers.
may read about some of the BCRs that have already been approved by the EU DPAs
below. Note, however, that it is the underlying processes and policies that
support the BCRs that are difficult to prove and implement. Nevertheless, these
BCRs should prove useful in finding out what the DPAs are looking for in these
BP with the UK ICO as the lead DPA.
eBay with the Luxemburg DPA as the lead.
GE with UK
ICO as the lead DPA.
HP with the CNIL as the lead DPA.
the UK ICO as the lead DPA.
Philips (2) with the UK ICO as the lead DPA.
Aside from these companies, the
following companies have obtained authorization for BCRs:
Atmel Corporation with the UK ICO as
the lead DPA.
Express with the UK ICO
Myers Squibb with the CNIL as the lead DPA.
Incorporated with the UK ICO as the lead DPA.
Citigroup with the UK ICO
Master Blenders 1753 ("DEMB") ex Sara Lee International B.V.
(indirect subsidiary of Sara Lee Corporation) with the Dutch DPA
Post DHL with Germany's Federal Commissioner for Data Protection and Freedom of
Hotel Corporation with the UK ICO as the
SOS with the CNIL as the lead DPA.
Health Incorporated with the UK ICO as the lead DPA.
with the UK ICO
Nordisk with the Danish DPA as the lead.
with the CNIL as the lead DPA.
with the Berlin Data Protection Commissioner.
Ltd. With the Dutch DPA
International B.V. with the Dutch DPA
policies may also be available publicly. We hope to have this list updated with
the appropriate links in the near future.